debian-mirror-gitlab/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

251 lines
8 KiB
Ruby
Raw Normal View History

2019-07-07 11:18:12 +05:30
# frozen_string_literal: true
2019-02-15 15:39:39 +05:30
require 'spec_helper'
2023-05-27 22:25:52 +05:30
RSpec.describe TokenAuthenticatableStrategies::Encrypted, feature_category: :system_access do
2019-02-15 15:39:39 +05:30
let(:model) { double(:model) }
let(:instance) { double(:instance) }
2023-05-27 22:25:52 +05:30
let(:original_token) { 'my-value' }
let(:resource) { double(:resource) }
let(:options) { other_options.merge(encrypted: encrypted_option) }
let(:other_options) { {} }
2019-02-15 15:39:39 +05:30
let(:encrypted) do
2023-05-27 22:25:52 +05:30
TokenAuthenticatableStrategies::EncryptionHelper.encrypt_token(original_token)
2021-04-29 21:17:54 +05:30
end
let(:encrypted_with_static_iv) do
2023-05-27 22:25:52 +05:30
Gitlab::CryptoHelper.aes256_gcm_encrypt(original_token)
2019-02-15 15:39:39 +05:30
end
2022-05-07 20:08:51 +05:30
subject(:strategy) do
2019-02-15 15:39:39 +05:30
described_class.new(model, 'some_field', options)
end
2022-05-07 20:08:51 +05:30
describe '#token_fields' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :required }
2022-05-07 20:08:51 +05:30
it 'includes the encrypted field' do
expect(strategy.token_fields).to contain_exactly('some_field', 'some_field_encrypted')
end
end
2019-02-15 15:39:39 +05:30
describe '#find_token_authenticatable' do
2023-05-27 22:25:52 +05:30
shared_examples 'finds the resource' do
it 'finds the resource by cleartext' do
expect(subject.find_token_authenticatable(original_token))
.to eq(resource)
end
end
shared_examples 'does not find any resource' do
it 'does not find any resource by cleartext' do
expect(subject.find_token_authenticatable(original_token))
.to be_nil
end
end
shared_examples 'finds the resource with/without setting require_prefix_for_validation' do
let(:standard_runner_token_prefix) { 'GR1348941' }
it_behaves_like 'finds the resource'
context 'when a require_prefix_for_validation is provided' do
let(:other_options) { { format_with_prefix: :format_with_prefix_method, require_prefix_for_validation: true } }
before do
allow(resource).to receive(:format_with_prefix_method).and_return(standard_runner_token_prefix)
end
it_behaves_like 'does not find any resource'
context 'when token starts with prefix' do
let(:original_token) { "#{standard_runner_token_prefix}plain_token" }
it_behaves_like 'finds the resource'
end
end
end
2021-04-29 21:17:54 +05:30
context 'when encryption is required' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :required }
let(:resource) { double(:encrypted_resource) }
2021-04-29 21:17:54 +05:30
2023-05-27 22:25:52 +05:30
before do
2022-04-04 11:22:00 +05:30
allow(model).to receive(:where)
.and_return(model)
2021-04-29 21:17:54 +05:30
allow(model).to receive(:find_by)
.with('some_field_encrypted' => [encrypted, encrypted_with_static_iv])
2023-05-27 22:25:52 +05:30
.and_return(resource)
2021-04-29 21:17:54 +05:30
end
2022-02-27 12:50:16 +05:30
2023-05-27 22:25:52 +05:30
it_behaves_like 'finds the resource with/without setting require_prefix_for_validation'
2021-04-29 21:17:54 +05:30
end
context 'when encryption is optional' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :optional }
let(:resource) { double(:encrypted_resource) }
2019-02-15 15:39:39 +05:30
2023-05-27 22:25:52 +05:30
before do
2022-04-04 11:22:00 +05:30
allow(model).to receive(:where)
.and_return(model)
2019-02-15 15:39:39 +05:30
allow(model).to receive(:find_by)
2021-04-29 21:17:54 +05:30
.with('some_field_encrypted' => [encrypted, encrypted_with_static_iv])
2023-05-27 22:25:52 +05:30
.and_return(resource)
2019-02-15 15:39:39 +05:30
end
2023-05-27 22:25:52 +05:30
it_behaves_like 'finds the resource with/without setting require_prefix_for_validation'
2019-02-15 15:39:39 +05:30
it 'uses insecure strategy when encrypted token cannot be found' do
allow(subject.send(:insecure_strategy))
.to receive(:find_token_authenticatable)
.and_return('plaintext resource')
2022-04-04 11:22:00 +05:30
allow(model).to receive(:where)
.and_return(model)
2019-02-15 15:39:39 +05:30
allow(model).to receive(:find_by)
2021-04-29 21:17:54 +05:30
.with('some_field_encrypted' => [encrypted, encrypted_with_static_iv])
2019-02-15 15:39:39 +05:30
.and_return(nil)
expect(subject.find_token_authenticatable('my-value'))
.to eq 'plaintext resource'
end
end
2021-04-29 21:17:54 +05:30
context 'when encryption is migrating' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :migrating }
let(:resource) { double(:cleartext_resource) }
2019-02-15 15:39:39 +05:30
2023-05-27 22:25:52 +05:30
before do
2022-04-04 11:22:00 +05:30
allow(model).to receive(:where)
.and_return(model)
2019-02-15 15:39:39 +05:30
allow(model).to receive(:find_by)
2023-05-27 22:25:52 +05:30
.with('some_field' => original_token)
.and_return(resource)
2019-02-15 15:39:39 +05:30
end
2023-05-27 22:25:52 +05:30
it_behaves_like 'finds the resource with/without setting require_prefix_for_validation'
2019-02-15 15:39:39 +05:30
end
end
describe '#get_token' do
2021-04-29 21:17:54 +05:30
context 'when encryption is required' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :required }
2021-04-29 21:17:54 +05:30
it 'returns decrypted token when an encrypted with static iv token is present' do
allow(instance).to receive(:read_attribute)
.with('some_field_encrypted')
.and_return(Gitlab::CryptoHelper.aes256_gcm_encrypt('my-test-value'))
expect(subject.get_token(instance)).to eq 'my-test-value'
end
it 'returns decrypted token when an encrypted token is present' do
allow(instance).to receive(:read_attribute)
.with('some_field_encrypted')
.and_return(encrypted)
2019-02-15 15:39:39 +05:30
2021-04-29 21:17:54 +05:30
expect(subject.get_token(instance)).to eq 'my-value'
2021-03-11 19:13:27 +05:30
end
2021-04-29 21:17:54 +05:30
end
context 'when encryption is optional' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :optional }
2021-03-11 19:13:27 +05:30
2019-02-15 15:39:39 +05:30
it 'returns decrypted token when an encrypted token is present' do
allow(instance).to receive(:read_attribute)
.with('some_field_encrypted')
.and_return(encrypted)
expect(subject.get_token(instance)).to eq 'my-value'
end
2021-04-29 21:17:54 +05:30
it 'returns decrypted token when an encrypted with static iv token is present' do
allow(instance).to receive(:read_attribute)
.with('some_field_encrypted')
.and_return(Gitlab::CryptoHelper.aes256_gcm_encrypt('my-test-value'))
expect(subject.get_token(instance)).to eq 'my-test-value'
end
2019-02-15 15:39:39 +05:30
it 'returns the plaintext token when encrypted token is not present' do
allow(instance).to receive(:read_attribute)
.with('some_field_encrypted')
.and_return(nil)
allow(instance).to receive(:read_attribute)
.with('some_field')
.and_return('cleartext value')
expect(subject.get_token(instance)).to eq 'cleartext value'
end
end
2021-04-29 21:17:54 +05:30
context 'when encryption is migrating' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :migrating }
2019-02-15 15:39:39 +05:30
it 'returns cleartext token when an encrypted token is present' do
allow(instance).to receive(:read_attribute)
.with('some_field_encrypted')
.and_return(encrypted)
allow(instance).to receive(:read_attribute)
.with('some_field')
.and_return('my-cleartext-value')
expect(subject.get_token(instance)).to eq 'my-cleartext-value'
end
it 'returns the cleartext token when encrypted token is not present' do
allow(instance).to receive(:read_attribute)
.with('some_field_encrypted')
.and_return(nil)
allow(instance).to receive(:read_attribute)
.with('some_field')
.and_return('cleartext value')
expect(subject.get_token(instance)).to eq 'cleartext value'
end
end
end
describe '#set_token' do
2021-04-29 21:17:54 +05:30
context 'when encryption is required' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :required }
2021-04-29 21:17:54 +05:30
it 'writes encrypted token and returns it' do
expect(instance).to receive(:[]=)
.with('some_field_encrypted', encrypted)
expect(subject.set_token(instance, 'my-value')).to eq 'my-value'
end
end
2023-03-04 22:38:38 +05:30
2021-04-29 21:17:54 +05:30
context 'when encryption is optional' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :optional }
2019-02-15 15:39:39 +05:30
it 'writes encrypted token and removes plaintext token and returns it' do
expect(instance).to receive(:[]=)
2021-04-29 21:17:54 +05:30
.with('some_field_encrypted', encrypted)
2019-02-15 15:39:39 +05:30
expect(instance).to receive(:[]=)
.with('some_field', nil)
expect(subject.set_token(instance, 'my-value')).to eq 'my-value'
end
end
2021-04-29 21:17:54 +05:30
context 'when encryption is migrating' do
2023-05-27 22:25:52 +05:30
let(:encrypted_option) { :migrating }
2019-02-15 15:39:39 +05:30
it 'writes encrypted token and writes plaintext token' do
expect(instance).to receive(:[]=)
2021-04-29 21:17:54 +05:30
.with('some_field_encrypted', encrypted)
2019-02-15 15:39:39 +05:30
expect(instance).to receive(:[]=)
.with('some_field', 'my-value')
expect(subject.set_token(instance, 'my-value')).to eq 'my-value'
end
end
end
end